Bug#949482: exim4-config: Please drop the pointless warning "Warning: No server certificate defined; will use a selfsigned one."

Vincent Lefevre vincent at vinc17.net
Sun Jun 14 12:01:48 BST 2020


On 2020-06-14 12:16:06 +0200, Francesco Poli wrote:
> On Tue, 28 Apr 2020 22:23:31 +0200 Vincent Lefevre wrote:
> 
> > On 2020-04-28 19:22:34 +0200, Francesco Poli wrote:
> > > On Tue, 21 Jan 2020 13:55:20 +0100 Vincent Lefevre <vincent at vinc17.net>
> > > wrote: [...]
> > > > Each time I upgrade exim4, I get:
> > > > 
> > > > Setting up exim4-config (4.93-9) ...
> > > > 2020-01-21 13:27:26 Warning: No server certificate defined; will use a selfsigned one.
> > > >  Suggested action: either install a certificate or change tls_advertise_hosts option
> > > 
> > > It is also written to /var/log/exim4/mainlog at *each* queue run (thus
> > > twice per hour).
> > 
> > Twice per hour by default. I run the queue every 5 minutes in order
> > to get greylisted mail sent faster. Thus I get this message every
> > 5 minutes.
> [...]
> 
> It seems to me that this warning is no longer written by
> exim4/4.94-2 ...
> 
> Is this solved in the new upstream version 4.94 ?
> Should this bug report be closed as fixed in exim4/4.94-2 ?

I haven't upgraded to 4.94-2 yet, but there has been an improvement
in 4.94-1: the message no longer appears each time the queue is run:

2020-06-05 12:23:19 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-05 12:23:19 Start queue run: pid=1961359
2020-06-05 12:23:19 End queue run: pid=1961359
2020-06-05 12:28:19 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-05 12:28:19 Start queue run: pid=1963247
2020-06-05 12:28:19 End queue run: pid=1963247
2020-06-05 13:14:20 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-05 13:14:20 exim 4.94 daemon started: pid=1983516, -q5m, listening for SMTP on [127.0.0.1]:25 [::1]:25
2020-06-05 13:14:20 Start queue run: pid=1983517
2020-06-05 13:14:20 End queue run: pid=1983517
2020-06-05 13:19:20 Start queue run: pid=1986520
2020-06-05 13:19:20 End queue run: pid=1986520
2020-06-05 13:24:20 Start queue run: pid=1987227
2020-06-05 13:24:20 End queue run: pid=1987227

However, it still appears when the service is restarted:

2020-06-14 12:09:22 Start queue run: pid=3686663
2020-06-14 12:09:22 End queue run: pid=3686663
2020-06-14 12:14:22 Start queue run: pid=3686820
2020-06-14 12:14:22 End queue run: pid=3686820
2020-06-14 12:19:22 Start queue run: pid=3687035
2020-06-14 12:19:22 End queue run: pid=3687035
2020-06-14 12:23:25 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-14 12:23:25 exim 4.94 daemon started: pid=3687887, -q5m, listening for SMTP on [127.0.0.1]:25 [::1]:25
2020-06-14 12:23:25 Start queue run: pid=3687888
2020-06-14 12:23:25 End queue run: pid=3687888

So, either there's nothing wrong and there should be no warning, or
something is wrong and the dpkg configuration system should handle
the issue. For instance, if tls_advertise_hosts needs to be changed,
this should be part of update-exim4.conf.

But instead of changing tls_advertise_hosts, since a certificate
may be needed, the configuration system should propose to use one,
possibly a self-signed one as this may be sufficient for a limited
use (e.g. a single user with several machines or a group of users,
where one can rely on the fingerprint rather than the signature).

For instance, postfix, which uses libssl, depends on ssl-cert,
which creates a self-signed certificate at install time, and
postfix can use it. The apache2 web server can also use it, though
apache2 only recommends ssl-cert.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
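
The comparison made above by reading the mainlog excerpts can be scripted. The following is an added example, not part of the original message or of the exim4 package; the function name is hypothetical, and attributing each warning to the entry logged right after it within the same second is an assumption of this example.

```python
import re

WARNING = "Warning: No server certificate defined"
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Lines copied from the 4.94-1 mainlog excerpt quoted in the message.
SAMPLE_LOG = """\
2020-06-05 12:23:19 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-05 12:23:19 Start queue run: pid=1961359
2020-06-05 12:23:19 End queue run: pid=1961359
2020-06-05 12:28:19 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-05 12:28:19 Start queue run: pid=1963247
2020-06-05 12:28:19 End queue run: pid=1963247
2020-06-05 13:14:20 Warning: No server certificate defined; will use a selfsigned one.
 Suggested action: either install a certificate or change tls_advertise_hosts option
2020-06-05 13:14:20 exim 4.94 daemon started: pid=1983516, -q5m, listening for SMTP on [127.0.0.1]:25 [::1]:25
2020-06-05 13:14:20 Start queue run: pid=1983517
2020-06-05 13:14:20 End queue run: pid=1983517
2020-06-05 13:19:20 Start queue run: pid=1986520
2020-06-05 13:19:20 End queue run: pid=1986520
"""


def classify_warnings(log_text):
    """Count certificate warnings by the event logged right after them."""
    # Assumption of this example: the first timestamped entry that follows a
    # warning within the same second is the event that triggered it.
    # Continuation lines ("Suggested action: ...") have no timestamp and are skipped.
    entries = [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]
    counts = {"queue_run": 0, "daemon_start": 0, "other": 0, "quiet_queue_runs": 0}
    for i, (stamp, msg) in enumerate(entries):
        prev_is_warning = i > 0 and entries[i - 1][1].startswith(WARNING)
        if msg.startswith("Start queue run") and not prev_is_warning:
            counts["quiet_queue_runs"] += 1  # queue run logged without the warning
        if not msg.startswith(WARNING):
            continue
        nxt = entries[i + 1] if i + 1 < len(entries) else ("", "")
        if nxt[0] == stamp and "daemon started" in nxt[1]:
            counts["daemon_start"] += 1
        elif nxt[0] == stamp and nxt[1].startswith("Start queue run"):
            counts["queue_run"] += 1
        else:
            counts["other"] += 1
    return counts
```

On a log where the warning is only emitted at daemon start, `queue_run` stays at 0 while `quiet_queue_runs` grows with every queue run.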


